author: GitLab Bot <gitlab-bot@gitlab.com> 2023-02-08 06:10:43 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2023-02-08 06:10:43 +0000
commit: 0812feb16adcf8da1d3555f1d736e7b154fcd046 (patch)
tree: 543721481f8ea698152182710380faf9fbf08e7c
parent: d8b3ba4b19f12a88a2aa6881bf770f9713a68d32 (diff)
download: gitlab-ce-0812feb16adcf8da1d3555f1d736e7b154fcd046.tar.gz
Add latest changes from gitlab-org/gitlab@master
-rw-r--r--  data/deprecations/15-9-php-python-dev-dependencies.yml  9
-rw-r--r--  doc/administration/instance_limits.md  1
-rw-r--r--  doc/ci/yaml/artifacts_reports.md  13
-rw-r--r--  doc/development/integrations/secure.md  52
-rw-r--r--  doc/topics/autodevops/cicd_variables.md  1
-rw-r--r--  doc/update/deprecations.md  14
-rw-r--r--  doc/user/application_security/policies/scan-execution-policies.md  2
-rw-r--r--  doc/user/application_security/terminology/index.md  1
-rw-r--r--  locale/gitlab.pot  14
9 files changed, 34 insertions, 73 deletions
diff --git a/data/deprecations/15-9-php-python-dev-dependencies.yml b/data/deprecations/15-9-php-python-dev-dependencies.yml
new file mode 100644
index 00000000000..f76bc3db5cb
--- /dev/null
+++ b/data/deprecations/15-9-php-python-dev-dependencies.yml
@@ -0,0 +1,9 @@
+- title: "Development dependencies reported for PHP and Python"
+ announcement_milestone: "15.9"
+ removal_milestone: "16.0"
+ breaking_change: true
+ reporter: sam.white
+ stage: secure
+ issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/375505
+ body: |
+ In GitLab 16.0 the GitLab Dependency Scanning analyzer will begin reporting development dependencies for both Python/pipenv and PHP/composer projects. Users who do not wish to have these development dependencies reported should set `DS_INCLUDE_DEV_DEPENDENCIES: false` in their CI/CD file.
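Review bot: the `body` describes only the new behaviour and never states what is being deprecated; say explicitly that today development dependencies of Python/pipenv and PHP/composer projects are not reported and that 16.0 flips that default, so a reader can tell whether their project is affected. Two smaller points on the same line: quote the value (`DS_INCLUDE_DEV_DEPENDENCIES: "false"`), since CI/CD variable values are strings and an unquoted `false` is a YAML boolean, and name the file (`.gitlab-ci.yml`) instead of "their CI/CD file". Since the change enlarges the reported dependency inventory, it is also worth a sentence that projects gating merges on vulnerability counts may start failing on dev-only findings after the upgrade.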
diff --git a/doc/administration/instance_limits.md b/doc/administration/instance_limits.md
index 8cdf27b58e8..e4f4b234a15 100644
--- a/doc/administration/instance_limits.md
+++ b/doc/administration/instance_limits.md
@@ -655,7 +655,6 @@ setting is used:
| `ci_max_artifact_size_archive` | 0 |
| `ci_max_artifact_size_browser_performance` | 0 |
| `ci_max_artifact_size_cluster_applications` | 0 |
-| `ci_max_artifact_size_cluster_image_scanning` | 0 |
| `ci_max_artifact_size_cobertura` | 0 |
| `ci_max_artifact_size_codequality` | 0 |
| `ci_max_artifact_size_container_scanning` | 0 |
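Review bot: dropping the `ci_max_artifact_size_cluster_image_scanning` row from the plan-limits table is a docs-only change in this diff; if the `plan_limits` attribute and the application settings API still accept that key, the table now under-reports the limits an administrator can set. Either link the change that removes the attribute itself or keep the row with a removed-in note until it lands.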
diff --git a/doc/ci/yaml/artifacts_reports.md b/doc/ci/yaml/artifacts_reports.md
index ced620195b4..6b15f90cbc7 100644
--- a/doc/ci/yaml/artifacts_reports.md
+++ b/doc/ci/yaml/artifacts_reports.md
@@ -67,19 +67,6 @@ GitLab can display the results of one report in the merge request
GitLab cannot display the combined results of multiple `browser_performance` reports.
-## `artifacts:reports:cluster_image_scanning` **(ULTIMATE)**
-
-> - Introduced in GitLab 14.1.
-> - Requires GitLab Runner 14.1 and above.
-
-The `cluster_image_scanning` report collects `CLUSTER_IMAGE_SCANNING` vulnerabilities. The collected
-`CLUSTER_IMAGE_SCANNING` report uploads to GitLab as an artifact.
-
-GitLab can display the results of one or more reports in:
-
-- The [security dashboard](../../user/application_security/security_dashboard/index.md).
-- The [Project Vulnerability report](../../user/application_security/vulnerability_report/index.md).
-
## `artifacts:reports:coverage_report`
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/344533) in GitLab 14.10.
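Review bot: the entire `artifacts:reports:cluster_image_scanning` section disappears without a replacement line, so a pipeline that still declares that report key gets no pointer to what happens to it (ignored, or rejected by validation) or to the successor feature. A one-line history entry in the style of the `> - Introduced in GitLab 14.1.` lines being removed, stating the version it was removed in and naming Operational Container Scanning as the replacement, would keep this page useful for people upgrading.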
diff --git a/doc/development/integrations/secure.md b/doc/development/integrations/secure.md
index bf1a3bfab08..002579d9b83 100644
--- a/doc/development/integrations/secure.md
+++ b/doc/development/integrations/secure.md
@@ -31,7 +31,6 @@ For consistency, scanning jobs should be named after the scanner, in lower case.
The job name is suffixed after the type of scanning:
- `_dependency_scanning`
-- `_cluster_image_scanning`
- `_container_scanning`
- `_dast`
- `_sast`
@@ -79,7 +78,6 @@ Valid reports are:
- `dependency_scanning`
- `container_scanning`
-- `cluster_image_scanning`
- `dast`
- `api_fuzzing`
- `coverage_fuzzing`
@@ -108,7 +106,6 @@ for variables such as:
- `DEPENDENCY_SCANNING_DISABLED`
- `CONTAINER_SCANNING_DISABLED`
-- `CLUSTER_IMAGE_SCANNING_DISABLED`
- `SAST_DISABLED`
- `DAST_DISABLED`
@@ -214,19 +211,6 @@ using the variables `DOCKER_USER` and `DOCKER_PASSWORD`.
If these are not defined, then the scanner should use
`CI_REGISTRY_USER` and `CI_REGISTRY_PASSWORD` as default values.
-#### Cluster Image Scanning
-
-To be consistent with the official `cluster_image_scanning` for GitLab, scanners must scan the
-Kubernetes cluster whose configuration is given by `KUBECONFIG`.
-
-If you use the `CIS_KUBECONFIG` CI/CD variable, then the
-`KUBECONFIG` variable is ignored and the cluster specified in the
-`CIS_KUBECONFIG` variable is scanned instead. If you don't provide
-the `CIS_KUBECONFIG` CI/CD variable, the value defaults to the value of
-`$KUBECONFIG`. `$KUBECONFIG` is a predefined CI/CD variable configured when the project is assigned to a
-Kubernetes cluster. When multiple contexts are provided in the `KUBECONFIG` variable, the context
-selected as `current-context` is used to fetch vulnerabilities.
-
#### Configuration files
While scanners may use `CI_PROJECT_DIR` to load specific configuration files,
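Review bot: the removed paragraph was the documented contract for how `CIS_KUBECONFIG` overrides `KUBECONFIG` and for `current-context` selection, and this guide is what third-party scanner authors build against. Nothing in the remaining text tells an integrator who still ships a `_cluster_image_scanning` job that the report type is no longer accepted; add a short removed-in note with the replacement (Operational Container Scanning through the agent) rather than silently invalidating existing integrations.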
@@ -320,7 +304,6 @@ and [Container Scanning](../../user/application_security/container_scanning/inde
You can find the schemas for these scanners here:
-- [Cluster Image Scanning](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/cluster-image-scanning-report-format.json)
- [Container Scanning](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/container-scanning-report-format.json)
- [Coverage Fuzzing](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/coverage-fuzzing-report-format.json)
- [DAST](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/dast-report-format.json)
@@ -414,7 +397,6 @@ We recommend that you generate a UUID and use it as the `id` field's value.
The value of the `category` field matches the report type:
- `dependency_scanning`
-- `cluster_image_scanning`
- `container_scanning`
- `sast`
- `dast`
@@ -604,40 +586,6 @@ so these attributes are mandatory.
The `image` is also mandatory.
All other attributes are optional.
-##### Cluster Image Scanning
-
-The `location` of a `cluster_image_scanning` vulnerability has a `dependency` field. It also has
-an `operating_system` field. For example, here is the `location` object for a vulnerability
-affecting version `2.50.3-2+deb9u1` of Debian package `glib2.0`:
-
-```json
-{
- "dependency": {
- "package": {
- "name": "glib2.0"
- },
- },
- "version": "2.50.3-2+deb9u1",
- "operating_system": "debian:9",
- "image": "index.docker.io/library/nginx:1.18",
- "kubernetes_resource": {
- "namespace": "production",
- "kind": "Deployment",
- "name": "nginx-ingress",
- "container_name": "nginx",
- "agent_id": "1"
- }
-}
-```
-
-The affected package is found when scanning a deployment using the `index.docker.io/library/nginx:1.18` image.
-
-The location fingerprint of a Cluster Image Scanning vulnerability combines the
-`namespace`, `kind`, `name`, and `container_name` fields from the `kubernetes_resource`,
-as well as the package `name`, so these fields are required. The `image` field is also mandatory.
-The `cluster_id` and `agent_id` are mutually exclusive, and one of them must be present.
-All other fields are optional.
-
##### SAST
The `location` of a SAST vulnerability must have a `file` and a `start_line` field,
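Review bot: removing this is fine, and note in passing that the deleted example was never valid JSON (trailing comma after the `package` object, `},` before `"version"`), so nothing usable is lost. What should be checked before merge: the Cluster Image Scanning schema link is dropped in the earlier hunk, yet vulnerabilities already stored with this report type were fingerprinted on `namespace`, `kind`, `name`, `container_name`, the package `name` and `image` as described here; confirm that ingestion and deduplication keep that fingerprint logic for existing findings, or document how those records are resolved, otherwise this section's removal leaves the behaviour of old data undocumented.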
diff --git a/doc/topics/autodevops/cicd_variables.md b/doc/topics/autodevops/cicd_variables.md
index 169d34aad77..b22b4677f24 100644
--- a/doc/topics/autodevops/cicd_variables.md
+++ b/doc/topics/autodevops/cicd_variables.md
@@ -94,7 +94,6 @@ Use these variables to disable CI/CD jobs.
| `bandit-sast` | `SAST_DISABLED` | | If the variable is present, the job isn't created. |
| `brakeman-sast` | `SAST_DISABLED` | | If the variable is present, the job isn't created. |
| `canary` | `CANARY_ENABLED` | | This manual job is created if the variable is present. |
-| `cluster_image_scanning` | `CLUSTER_IMAGE_SCANNING_DISABLED` | | If the variable is present, the job isn't created. |
| `code_intelligence` | `CODE_INTELLIGENCE_DISABLED` | From GitLab 13.6 | If the variable is present, the job isn't created. |
| `code_quality` | `CODE_QUALITY_DISABLED` | | If the variable is present, the job isn't created. |
| `container_scanning` | `CONTAINER_SCANNING_DISABLED` | | If the variable is present, the job isn't created. |
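Review bot: deleting the `cluster_image_scanning` row should land together with removal of the job from the Auto DevOps template; if the template still includes it, `CLUSTER_IMAGE_SCANNING_DISABLED` remains a live but now undocumented switch. The diffstat shows only docs and `locale/gitlab.pot`, so link the change that removes the job or keep the row until it is gone.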
diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md
index 1a272e4a609..e2ac52929e0 100644
--- a/doc/update/deprecations.md
+++ b/doc/update/deprecations.md
@@ -94,6 +94,20 @@ When using the native HashiCorp Vault integration, CI/CD jobs will fail when no
<div class="deprecation removal-160 breaking-change">
+### Development dependencies reported for PHP and Python
+
+Planned removal: GitLab <span class="removal-milestone">16.0</span> <span class="removal-date"></span>
+
+WARNING:
+This is a [breaking change](https://docs.gitlab.com/ee/development/deprecation_guidelines/).
+Review the details carefully before upgrading.
+
+In GitLab 16.0 the GitLab Dependency Scanning analyzer will begin reporting development dependencies for both Python/pipenv and PHP/composer projects. Users who do not wish to have these development dependencies reported should set `DS_INCLUDE_DEV_DEPENDENCIES: false` in their CI/CD file.
+
+</div>
+
+<div class="deprecation removal-160 breaking-change">
+
### Embedding Grafana panels in Markdown is deprecated
Planned removal: GitLab <span class="removal-milestone">16.0</span> <span class="removal-date"></span>
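Review bot: this block repeats the `body` of `data/deprecations/15-9-php-python-dev-dependencies.yml` word for word, which indicates the page is generated from that data file; any wording fixes (stating the current default, quoting `"false"`, naming `.gitlab-ci.yml`) belong in the YAML and should be regenerated here, otherwise the two copies drift. The empty `<span class="removal-date"></span>` matches the neighbouring Grafana entry, so that part is consistent.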
diff --git a/doc/user/application_security/policies/scan-execution-policies.md b/doc/user/application_security/policies/scan-execution-policies.md
index e679ed907e9..f624bc95036 100644
--- a/doc/user/application_security/policies/scan-execution-policies.md
+++ b/doc/user/application_security/policies/scan-execution-policies.md
@@ -89,7 +89,7 @@ This rule enforces the defined actions and schedules a scan on the provided date
| `type` | `string` | `schedule` | The rule's type. |
| `branches` | `array` of `string` | `*` or the branch's name | The branch the given policy applies to (supports wildcard). This field is required if the `agents` field is not set. |
| `cadence` | `string` | CRON expression (for example, `0 0 * * *`) | A whitespace-separated string containing five fields that represents the scheduled time. |
-| `agents` | `object` | | The name of the [GitLab agents](../../clusters/agent/index.md) where [cluster image scanning](../../clusters/agent/vulnerabilities.md) runs. The object key is the name of the Kubernetes agent configured for your project in GitLab. This field is required if the `branches` field is not set. |
+| `agents` | `object` | | The name of the [GitLab agents](../../clusters/agent/index.md) where [Operational Container Scanning](../../clusters/agent/vulnerabilities.md) runs. The object key is the name of the Kubernetes agent configured for your project in GitLab. This field is required if the `branches` field is not set. |
GitLab supports the following types of CRON syntax for the `cadence` field:
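Review bot: the rename to Operational Container Scanning changes only the display name; the `agents` key and the link target are untouched, so the hunk is internally consistent. Capitalising it as a product name while the previous wording was lowercase is a style choice; match whatever the linked vulnerabilities page uses. Since the rest of this commit removes every other mention of cluster image scanning, this row is now the only place the old and new names meet, so a short parenthetical "(formerly cluster image scanning)" would help readers searching for the old term.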
diff --git a/doc/user/application_security/terminology/index.md b/doc/user/application_security/terminology/index.md
index 1ce5d58c73b..772a7d17e1e 100644
--- a/doc/user/application_security/terminology/index.md
+++ b/doc/user/application_security/terminology/index.md
@@ -257,7 +257,6 @@ once it's imported into the database.
Describes the type of scan. This must be one of the following:
- `api_fuzzing`
-- `cluster_image_scanning`
- `container_scanning`
- `coverage_fuzzing`
- `dast`
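Review bot: this list is introduced with "This must be one of the following", but existing vulnerability records and exports can still carry `cluster_image_scanning` as their report type; either add a removed-value note or the list now implies such findings cannot exist.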
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 94c063be564..a62a3255093 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -6036,6 +6036,12 @@ msgstr ""
msgid "Automatically update this project's branches and tags from the upstream repository."
msgstr ""
+msgid "Automation"
+msgstr ""
+
+msgid "Automation|Automation App"
+msgstr ""
+
msgid "Autosave|Note"
msgstr ""
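Review bot: `Automation` and `Automation|Automation App` are new msgids with no corresponding source change in this commit (the diffstat touches only docs and `locale/gitlab.pot`). `gitlab.pot` is regenerated from source strings, so either the source that introduces them is arriving in a separate sync, in which case this is harmless, or the entries are stale and will be dropped at the next regeneration; worth confirming which.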
@@ -12715,7 +12721,7 @@ msgstr ""
msgid "DastProfiles|Enter URLs in a comma-separated list."
msgstr ""
-msgid "DastProfiles|Enter headers in a comma-separated list."
+msgid "DastProfiles|Enter a comma-separated list of request header names and values. DAST adds header to every request."
msgstr ""
msgid "DastProfiles|Error Details"
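Review bot: grammar in the new msgid: "DAST adds header to every request" should read "DAST adds the headers to every request". This text is what translators and end users see, and fixing it after merge means a new string and retranslation, so fix it now.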
@@ -12733,6 +12739,9 @@ msgstr ""
msgid "DastProfiles|Excluded paths (optional)"
msgstr ""
+msgid "DastProfiles|Headers will appear in vulnerability reports. %{linkStart}Only some headers are automatically masked%{linkEnd}."
+msgstr ""
+
msgid "DastProfiles|Hide debug messages"
msgstr ""
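Review bot: the warning that request headers will appear in vulnerability reports is the right thing to surface, since this field is where users put `Authorization` or `Cookie` values. "Only some headers are automatically masked" leaves the user guessing whether their token is one of them; make sure the link target enumerates exactly which header names are masked and state that any other header value is stored in the report as entered.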
@@ -12799,9 +12808,6 @@ msgstr ""
msgid "DastProfiles|Profile name"
msgstr ""
-msgid "DastProfiles|Request header names and values. Headers are added to every request made by DAST."
-msgstr ""
-
msgid "DastProfiles|Request headers"
msgstr ""